Easy-RSA version 3.2.1 - Significant Changes:
Honorable Memorandum: 2024 USA Election.
Add decimal serial number value to inline files:
- For use with OpenVPN
--verify-crlcommand.
Create OpenVPN style TLS-AUTH and TLS-Crypt keys:
- Use command
gen-tls-auth-key/gen-tls-crypt-key. (TLS-Crypt-V2 is not included)
Add simple way to effectively renew an expired CA certificate:
- Use
init-pkicommand optionsoft, to retain certificate signing request files. Facilitating signing old requests with a new CA. Also keep TLS-KEYS, which are known to be in use. - Full details:
doc/EasyRSA-Renew-and-Revoke.md#renew-ca-certificate
New global command options for critical X509 Attibutes:
--bc-crit- MarkbasicConstraintsascritical--ku-crit- MarkkeyUsageascritical--eku-crit- MarkextendedKeyUsageascritical--san-crit- MarksubjectAltNameascritical
New global option --auto-san:
- Force automatic
subjectAltName.
Command write syntax change:
- Allow specific target-file as command option.
- Reqire specific command option
overwrite, to enable overwriting an existing file.
ChangeLog:
- inline: Add decimal value for cert. serial (Linux Only) (b33038e) (#1222)
- Always exit with error for unknown command options (Except nopass) (#1221)
(build-ca: b2f7912); (gen-req: 07f21d3); (build_full(): 0ff7f4c);
(export_pkcs(): 2c51288); (set-pass: 1266d4e) - Integrate Easy-RSA TLS-Key for use with 'init-pki soft' (03d9dc2) (#1220)
Note: Inline files that contain private key data are now created in sub-dir
'pki/inline/private'. - easyrsa-tools.lib, show-expire: Add CA certificate to report (a36cd54) (#1215)
- inline: OpenVPN TLS Keys inlining for TLS-AUTH, TLS-CRYPT-V1 (6e9e4a2) (#1185)
Note: Command inline only writes directly to inline file not stdout. - easyrsa-tools.lib: OpenVPN TLS Key gen. TLS-AUTH, TLS-CRYPT-V1 (cf0da16) (#1185)
- easyrsa-tools.lib: expire_status_v2() (show-expire version 2) (1e43bf5) (#1214)
- sign-req: Require 128bit serial number (806ee19) (#1213)
- Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut (ddbf304) (#1209)
- Windows secure_session(): Ensure $secured_session dir is created (d99b242) (#1203)
- Switch to '-f' for file existence (6ab98c9..a02f545) (#1201)
- inline: Move auto-inline from build_full() to sign_req() (823f70f) (#1201)
- gen-crl: Create additional CRL in DER format (69df0d8) (#1198)
- self-sign: Allow Edwards Curve based keys (81b749b) (#1197)
- Re-enable command 'renew' (version 2): Requires EasyRSA Tools (30fe311) (#1195)
- bug-fix: revoke: Pass the correct certificate location (24d5514)
- vars.example: Add flags for auto-SAN and X509 critical attribute (a41dfcc)
- Global option --eku-crit: Mark X509 extendedKeyUsage as critical (ca09211)
- sign-req: Add critical and pathlen details to confirmation (deae705) (#1182)
- export-p12: Automatically generate inline file (9d90370) (#1181)
- Introduce global option --auto-san, use commonName as SAN (5c36d44) (#1180)
- Introduce global option --san-crit, mark SAN critical (dd69f50) (#1179)
- Introduce new global options: --ku-crit and --bc-crit (b79abee) (#1176)
- gen-req: Always check for existing request file (7eab98e) (#1177)
- revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66) (#1177)
- revoke-expired/-renewed: Keep req/key files for resigning (4537ae7) (#1177)
- revoke: Add abbreviations for optional 'reason' (a88ccc7) (#1173)
- build-ca: Allow use of --req-cn without batch mode (b77a0fb) (#1170)
- gen-req: Re-enable use of --req-cn (5cf8c46) (#1170)
- write: Change syntax, target as file, not directory (722ce54) (#1165)
What's Changed
- Use standard indentation rules for 'case' by @TinCanTech in #1142
- easyrsa_mkdir(): Remove use of 'mkdir -p', use only 'mkdir' by @TinCanTech in #1145
- Unit-test: Add Old expansion test on nix (EASYRSA_FORCE_SAFE_SSL) by @TinCanTech in #1151
- easyrsa_openssl(): Always export $OPENSSL_CONF as $EASYRSA_SSL_CONF by @TinCanTech in #1150
- easyrsa-tools.lib: Add 'locate_support-files' to recreate temp-session by @TinCanTech in #1153
- Tools lib call ssl direct by @TinCanTech in #1156
- easyrsa_mktemp(): Make variable names more unique to avoid conflicts by @TinCanTech in #1157
- Introduce Global Safe SSL config and Local SSL config by @TinCanTech in #1163
- Introduce write_legacy_file_v2() by @TinCanTech in #1165
- display_dn(): Remove excess subshell by @TinCanTech in #1166
- Fix minor typos by @NathanBaulch in #1169
- Command gen-req: Re-enable global option --req-cn - Includes build_full() by @TinCanTech in #1170
- Command revoke: Add abbreviations for optional 'reason' by @TinCanTech in #1173
- Command revoke: Add confirmation for possible misuse by @TinCanTech in #1174
- Command revoke: Do not remove duplicate certificate by serial by @TinCanTech in #1177
- Introduce new global options: --ku-crit and --bc-crit by @TinCanTech in #1176
- Introduce global option --san-crit, mark SAN critical (RFC2459) by @TinCanTech in #1179
- Introduce global option --auto-san, use commonName as SAN by @TinCanTech in #1180
- export-p12: Automatically generate inline file by @TinCanTech in #1181
- sign-req: Add critical and pathlen details to confirmation dialogue by @TinCanTech in #1182
- Auto-SAN: Correct rexeg, exclude non-numeric chars by delimiting by @TinCanTech in #1184
- Global option --eku-crit: Mark X509 extendedKeyUsage as critical by @TinCanTech in #1188
- revoke: Pass the correct certificate location to revoke function by @TinCanTech in #1191
- Rewrite renew by @TinCanTech in #1195
- self-sign: Allow Edwards Curve based keys by @TinCanTech in #1197
- gen-crl: Create additional CRL in DER format by @TinCanTech in #1198
- Inline v2 by @TinCanTech in #1201
- Windows secure_session(): Ensure $secured_session directory is created by @TinCanTech in #1203
- Windows secure_session(): Minimize and document specific race conditon by @TinCanTech in #1205
- verify_ssl_lib(): Correct verbose message by @TinCanTech in #1208
- Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut by @TinCanTech in #1209
- inline: Comment out missing files and add instructions for rebuilding by @TinCanTech in #1212
- sign-req: Require 128bit serial number by @TinCanTech in #1213
- easyrsa-tools.lib: expire_status_v2() (show-expire version 2) by @TinCanTech in #1214
- TLS key system v1 by @TinCanTech in #1185
- show-expire: Add CA certificate to report by @TinCanTech in #1215
- easyrsa-tools.lib: Rename will_cert_expire() -> is_cert_valid() by @TinCanTech in #1216
- init-pki: Add second confirmation to promote use of option 'soft' by @TinCanTech in #1217
- Minor corrections by @TinCanTech in #1218
- Integrate Easy-RSA TLS-Key for use with 'init-pki soft' by @TinCanTech in #1220
- doc: Revoke and Renew, update for Easy-RSA v3.2.1 by @TinCanTech in #1219
- V321 final touches by @TinCanTech in #1221
- inline: Add decimal value for certificate serial number (Linux Only) by @TinCanTech in #1222
New Contributors
- @NathanBaulch made their first contribution in #1169
Full Changelog: v3.2.0...v3.2.1